1# Copyright 2020 Google LLC
2#
3# Licensed under the Apache License, Version 2.0 (the "License");
4# you may not use this file except in compliance with the License.
5# You may obtain a copy of the License at
6#
7# http://www.apache.org/licenses/LICENSE-2.0
8#
9# Unless required by applicable law or agreed to in writing, software
10# distributed under the License is distributed on an "AS IS" BASIS,
11# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12# See the License for the specific language governing permissions and
13# limitations under the License.
14
15apiVersion: apiextensions.k8s.io/v1
16kind: CustomResourceDefinition
17metadata:
18 annotations:
19 cnrm.cloud.google.com/version: 1.106.0
20 creationTimestamp: null
21 labels:
22 cnrm.cloud.google.com/dcl2crd: "true"
23 cnrm.cloud.google.com/managed-by-kcc: "true"
24 cnrm.cloud.google.com/stability-level: stable
25 cnrm.cloud.google.com/system: "true"
26 name: privatecacapools.privateca.cnrm.cloud.google.com
27spec:
28 group: privateca.cnrm.cloud.google.com
29 names:
30 categories:
31 - gcp
32 kind: PrivateCACAPool
33 plural: privatecacapools
34 shortNames:
35 - gcpprivatecacapool
36 - gcpprivatecacapools
37 singular: privatecacapool
38 scope: Namespaced
39 versions:
40 - additionalPrinterColumns:
41 - jsonPath: .metadata.creationTimestamp
42 name: Age
43 type: date
44 - description: When 'True', the most recent reconcile of the resource succeeded
45 jsonPath: .status.conditions[?(@.type=='Ready')].status
46 name: Ready
47 type: string
48 - description: The reason for the value in 'Ready'
49 jsonPath: .status.conditions[?(@.type=='Ready')].reason
50 name: Status
51 type: string
52 - description: The last transition time for the value in 'Status'
53 jsonPath: .status.conditions[?(@.type=='Ready')].lastTransitionTime
54 name: Status Age
55 type: date
56 name: v1beta1
57 schema:
58 openAPIV3Schema:
59 properties:
60 apiVersion:
61 description: 'apiVersion defines the versioned schema of this representation
62 of an object. Servers should convert recognized schemas to the latest
63 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
64 type: string
65 kind:
66 description: 'kind is a string value representing the REST resource this
67 object represents. Servers may infer this from the endpoint the client
68 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
69 type: string
70 metadata:
71 type: object
72 spec:
73 properties:
74 issuancePolicy:
75 description: Optional. The IssuancePolicy to control how Certificates
76 will be issued from this CaPool.
77 properties:
78 allowedIssuanceModes:
79 description: Optional. If specified, then only methods allowed
80 in the IssuanceModes may be used to issue Certificates.
81 properties:
82 allowConfigBasedIssuance:
83 description: Optional. When true, allows callers to create
84 Certificates by specifying a CertificateConfig.
85 type: boolean
86 allowCsrBasedIssuance:
87 description: Optional. When true, allows callers to create
88 Certificates by specifying a CSR.
89 type: boolean
90 type: object
91 allowedKeyTypes:
92 description: Optional. If any AllowedKeyType is specified, then
93 the certificate request's public key must match one of the key
94 types listed here. Otherwise, any key may be used.
95 items:
96 properties:
97 ellipticCurve:
98 description: Represents an allowed Elliptic Curve key type.
99 properties:
100 signatureAlgorithm:
101 description: 'Optional. A signature algorithm that must
102 be used. If this is omitted, any EC-based signature
103 algorithm will be allowed. Possible values: EC_SIGNATURE_ALGORITHM_UNSPECIFIED,
104 ECDSA_P256, ECDSA_P384, EDDSA_25519'
105 type: string
106 type: object
107 rsa:
108 description: Represents an allowed RSA key type.
109 properties:
110 maxModulusSize:
111 description: Optional. The maximum allowed RSA modulus
112 size, in bits. If this is not set, or if set to zero,
113 the service will not enforce an explicit upper bound
114 on RSA modulus sizes.
115 format: int64
116 type: integer
117 minModulusSize:
118 description: Optional. The minimum allowed RSA modulus
119 size, in bits. If this is not set, or if set to zero,
120 the service-level min RSA modulus size will continue
121 to apply.
122 format: int64
123 type: integer
124 type: object
125 type: object
126 type: array
127 baselineValues:
128 description: Optional. A set of X.509 values that will be applied
129 to all certificates issued through this CaPool. If a certificate
130 request includes conflicting values for the same properties,
131 they will be overwritten by the values defined here. If a certificate
132 request uses a CertificateTemplate that defines conflicting
133 predefined_values for the same properties, the certificate issuance
134 request will fail.
135 properties:
136 additionalExtensions:
137 description: Optional. Describes custom X.509 extensions.
138 items:
139 properties:
140 critical:
141 description: Optional. Indicates whether or not this
142 extension is critical (i.e., if the client does not
143 know how to handle this extension, the client should
144 consider this to be an error).
145 type: boolean
146 objectId:
147 description: Required. The OID for this X.509 extension.
148 properties:
149 objectIdPath:
150 description: Required. The parts of an OID path.
151 The most significant parts of the path come first.
152 items:
153 format: int64
154 type: integer
155 type: array
156 required:
157 - objectIdPath
158 type: object
159 value:
160 description: Required. The value of this X.509 extension.
161 type: string
162 required:
163 - objectId
164 - value
165 type: object
166 type: array
167 aiaOcspServers:
168 description: Optional. Describes Online Certificate Status
169 Protocol (OCSP) endpoint addresses that appear in the "Authority
170 Information Access" extension in the certificate.
171 items:
172 type: string
173 type: array
174 caOptions:
175 description: Optional. Describes options in this X509Parameters
176 that are relevant in a CA certificate.
177 properties:
178 isCa:
179 description: Optional. Refers to the "CA" X.509 extension,
180 which is a boolean value. When this value is missing,
181 the extension will be omitted from the CA certificate.
182 type: boolean
183 maxIssuerPathLength:
184 description: Optional. Refers to the path length restriction
185 X.509 extension. For a CA certificate, this value describes
186 the depth of subordinate CA certificates that are allowed.
187 If this value is less than 0, the request will fail.
188 If this value is missing, the max path length will be
189 omitted from the CA certificate.
190 format: int64
191 type: integer
192 zeroMaxIssuerPathLength:
193 description: Optional. When true, the "path length constraint"
194                              in Basic Constraints extension will be set to 0. If
195 both max_issuer_path_length and zero_max_issuer_path_length
196 are unset, the max path length will be omitted from
197 the CA certificate.
198 type: boolean
199 type: object
200 keyUsage:
201 description: Optional. Indicates the intended use for keys
202 that correspond to a certificate.
203 properties:
204 baseKeyUsage:
205 description: Describes high-level ways in which a key
206 may be used.
207 properties:
208 certSign:
209 description: The key may be used to sign certificates.
210 type: boolean
211 contentCommitment:
212 description: The key may be used for cryptographic
213 commitments. Note that this may also be referred
214 to as "non-repudiation".
215 type: boolean
216 crlSign:
217                                description: The key may be used to sign certificate
218                                  revocation lists.
219 type: boolean
220 dataEncipherment:
221 description: The key may be used to encipher data.
222 type: boolean
223 decipherOnly:
224 description: The key may be used to decipher only.
225 type: boolean
226 digitalSignature:
227 description: The key may be used for digital signatures.
228 type: boolean
229 encipherOnly:
230 description: The key may be used to encipher only.
231 type: boolean
232 keyAgreement:
233 description: The key may be used in a key agreement
234 protocol.
235 type: boolean
236 keyEncipherment:
237 description: The key may be used to encipher other
238 keys.
239 type: boolean
240 type: object
241 extendedKeyUsage:
242 description: Detailed scenarios in which a key may be
243 used.
244 properties:
245 clientAuth:
246 description: Corresponds to OID 1.3.6.1.5.5.7.3.2.
247 Officially described as "TLS WWW client authentication",
248 though regularly used for non-WWW TLS.
249 type: boolean
250 codeSigning:
251 description: Corresponds to OID 1.3.6.1.5.5.7.3.3.
252                                  Officially described as "Signing of downloadable
253                                  executable code" (RFC 5280, section 4.2.1.12).
254 type: boolean
255 emailProtection:
256 description: Corresponds to OID 1.3.6.1.5.5.7.3.4.
257 Officially described as "Email protection".
258 type: boolean
259 ocspSigning:
260 description: Corresponds to OID 1.3.6.1.5.5.7.3.9.
261 Officially described as "Signing OCSP responses".
262 type: boolean
263 serverAuth:
264 description: Corresponds to OID 1.3.6.1.5.5.7.3.1.
265 Officially described as "TLS WWW server authentication",
266 though regularly used for non-WWW TLS.
267 type: boolean
268 timeStamping:
269 description: Corresponds to OID 1.3.6.1.5.5.7.3.8.
270 Officially described as "Binding the hash of an
271 object to a time".
272 type: boolean
273 type: object
274 unknownExtendedKeyUsages:
275 description: Used to describe extended key usages that
276 are not listed in the KeyUsage.ExtendedKeyUsageOptions
277 message.
278 items:
279 properties:
280 objectIdPath:
281 description: Required. The parts of an OID path.
282 The most significant parts of the path come first.
283 items:
284 format: int64
285 type: integer
286 type: array
287 required:
288 - objectIdPath
289 type: object
290 type: array
291 type: object
292 policyIds:
293 description: Optional. Describes the X.509 certificate policy
294 object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4.
295 items:
296 properties:
297 objectIdPath:
298 description: Required. The parts of an OID path. The
299 most significant parts of the path come first.
300 items:
301 format: int64
302 type: integer
303 type: array
304 required:
305 - objectIdPath
306 type: object
307 type: array
308 type: object
309 identityConstraints:
310 description: Optional. Describes constraints on identities that
311 may appear in Certificates issued through this CaPool. If this
312 is omitted, then this CaPool will not add restrictions on a
313 certificate's identity.
314 properties:
315 allowSubjectAltNamesPassthrough:
316 description: Required. If this is true, the SubjectAltNames
317 extension may be copied from a certificate request into
318 the signed certificate. Otherwise, the requested SubjectAltNames
319 will be discarded.
320 type: boolean
321 allowSubjectPassthrough:
322 description: Required. If this is true, the Subject field
323 may be copied from a certificate request into the signed
324 certificate. Otherwise, the requested Subject will be discarded.
325 type: boolean
326 celExpression:
327 description: Optional. A CEL expression that may be used to
328 validate the resolved X.509 Subject and/or Subject Alternative
329 Name before a certificate is signed. To see the full allowed
330 syntax and some examples, see https://cloud.google.com/certificate-authority-service/docs/using-cel
331 properties:
332 description:
333 description: Optional. Description of the expression.
334 This is a longer text which describes the expression,
335 e.g. when hovered over it in a UI.
336 type: string
337 expression:
338 description: Textual representation of an expression in
339 Common Expression Language syntax.
340 type: string
341 location:
342 description: Optional. String indicating the location
343 of the expression for error reporting, e.g. a file name
344 and a position in the file.
345 type: string
346 title:
347 description: Optional. Title for the expression, i.e.
348 a short string describing its purpose. This can be used
349 e.g. in UIs which allow to enter the expression.
350 type: string
351 type: object
352 required:
353 - allowSubjectAltNamesPassthrough
354 - allowSubjectPassthrough
355 type: object
356 maximumLifetime:
357 description: Optional. The maximum lifetime allowed for issued
358 Certificates. Note that if the issuing CertificateAuthority
359 expires before a Certificate's requested maximum_lifetime, the
360 effective lifetime will be explicitly truncated to match it.
361 type: string
362 passthroughExtensions:
363 description: Optional. Describes the set of X.509 extensions that
364 may appear in a Certificate issued through this CaPool. If a
365 certificate request sets extensions that don't appear in the
366 passthrough_extensions, those extensions will be dropped. If
367 a certificate request uses a CertificateTemplate with predefined_values
368 that don't appear here, the certificate issuance request will
369 fail. If this is omitted, then this CaPool will not add restrictions
370 on a certificate's X.509 extensions. These constraints do not
371 apply to X.509 extensions set in this CaPool's baseline_values.
372 properties:
373 additionalExtensions:
374 description: Optional. A set of ObjectIds identifying custom
375 X.509 extensions. Will be combined with known_extensions
376 to determine the full set of X.509 extensions.
377 items:
378 properties:
379 objectIdPath:
380 description: Required. The parts of an OID path. The
381 most significant parts of the path come first.
382 items:
383 format: int64
384 type: integer
385 type: array
386 required:
387 - objectIdPath
388 type: object
389 type: array
390 knownExtensions:
391 description: Optional. A set of named X.509 extensions. Will
392 be combined with additional_extensions to determine the
393 full set of X.509 extensions.
394 items:
395 type: string
396 type: array
397 type: object
398 type: object
399 location:
400 description: Immutable. The location for the resource
401 type: string
402 projectRef:
403 description: Immutable. The Project that this resource belongs to.
404 oneOf:
405 - not:
406 required:
407 - external
408 required:
409 - name
410 - not:
411 anyOf:
412 - required:
413 - name
414 - required:
415 - namespace
416 required:
417 - external
418 properties:
419 external:
420 description: |-
421 The project for the resource
422
423 Allowed value: The Google Cloud resource name of a `Project` resource (format: `projects/{{name}}`).
424 type: string
425 name:
426 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
427 type: string
428 namespace:
429 description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
430 type: string
431 type: object
432 publishingOptions:
433 description: Optional. The PublishingOptions to follow when issuing
434 Certificates from any CertificateAuthority in this CaPool.
435 properties:
436 publishCaCert:
437 description: Optional. When true, publishes each CertificateAuthority's
438 CA certificate and includes its URL in the "Authority Information
439 Access" X.509 extension in all issued Certificates. If this
440 is false, the CA certificate will not be published and the corresponding
441 X.509 extension will not be written in issued certificates.
442 type: boolean
443 publishCrl:
444 description: Optional. When true, publishes each CertificateAuthority's
445 CRL and includes its URL in the "CRL Distribution Points" X.509
446 extension in all issued Certificates. If this is false, CRLs
447 will not be published and the corresponding X.509 extension
448 will not be written in issued certificates. CRLs will expire
449 7 days from their creation. However, we will rebuild daily.
450 CRLs are also rebuilt shortly after a certificate is revoked.
451 type: boolean
452 type: object
453 resourceID:
454 description: Immutable. Optional. The name of the resource. Used for
455 creation and acquisition. When unset, the value of `metadata.name`
456 is used as the default.
457 type: string
458 tier:
459                description: 'Immutable. Required. The Tier of this CaPool.
460                Possible values: TIER_UNSPECIFIED, ENTERPRISE, DEVOPS'
461 type: string
462 required:
463 - location
464 - projectRef
465 - tier
466 type: object
467 status:
468 properties:
469 conditions:
470 description: Conditions represent the latest available observation
471 of the resource's current state.
472 items:
473 properties:
474 lastTransitionTime:
475 description: Last time the condition transitioned from one status
476 to another.
477 type: string
478 message:
479 description: Human-readable message indicating details about
480 last transition.
481 type: string
482 reason:
483 description: Unique, one-word, CamelCase reason for the condition's
484 last transition.
485 type: string
486 status:
487 description: Status is the status of the condition. Can be True,
488 False, Unknown.
489 type: string
490 type:
491 description: Type is the type of the condition.
492 type: string
493 type: object
494 type: array
495 observedGeneration:
496 description: ObservedGeneration is the generation of the resource
497 that was most recently observed by the Config Connector controller.
498 If this is equal to metadata.generation, then that means that the
499 current reported status reflects the most recent desired state of
500 the resource.
501 type: integer
502 type: object
503 required:
504 - spec
505 type: object
506 served: true
507 storage: true
508 subresources:
509 status: {}
510status:
511 acceptedNames:
512 kind: ""
513 plural: ""
514 conditions: []
515 storedVersions: []